[rsyslog-notify] Forum Thread: Help With File Permission - (Mode 'post')
noreply at adiscon.com
Thu Mar 30 19:42:33 CEST 2017
User: thejester2112
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27238#p27238
Message:
----------
Hello, is there a way in which the permissions for the directories and files
rsyslog creates are defined in a global directive versus in each action of
the ruleset? I've tried setting them as a global directive but the files
are getting written as root. A number of searches show I needed to add the
$umask set to 0000, but the files are still written as root.
As shown in the config below, the only way I am able to get the files created
with the correct permissions is to have
if $msg contains " %ASA-" then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$asa_dyn") stop }
in the ruleset. I was hoping to set it as a global setting and make the rulesets
appear cleaner and simpler, like
if $msg contains " %ASA-" then { action(type="omfile" dynaFile="$asa_dyn") stop }
Apologies for the messy config, I am new to rsyslog and have a number of
issues I am trying to sort out and will likely be submitting more posts to
get those solved.
VERSION
rsyslogd 8.25.0, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
CONFIG
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
$umask 0000
$fileOwner XXXX
$fileGroup XXXX
$FileCreateMode 0777
$DirCreateMode 0777
$EscapeControlCharactersOnReceive off
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 2002
$ModLoad imklog
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### TEMPLATES #####
# Dynamic File Name Templates
#
# ASA Dyn Template
template ( name="$asa_dyn" type="string"
string="/opt/logs/firewalls/cisco/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Fortigate Dyn Template
template ( name="$fort_dyn" type="string"
string="/opt/logs/firewalls/fortigate/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Juniper NetScreen Dyn Template
template ( name="$netscreen_dyn" type="string"
string="/opt/logs/firewalls/netscreen/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Juniper SRX Dyn Template
template ( name="$srx_dyn" type="string"
string="/opt/logs/firewalls/srx/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Cisco ACS and TACACS Dyn Template
template ( name="$auth_dyn" type="string"
string="/opt/logs/acs/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Cisco SourceFire IDS Dyn Template
template ( name="$snort_dyn" type="string"
string="/opt/logs/ids/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Unix Dyn Template
template ( name="$unix_dyn" type="string"
string="/opt/logs/unix/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Windows Dyn Template
template ( name="$windoz_dyn" type="string"
string="/opt/logs/windows/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Cisco Routers
template ( name="$crooter1_dyn" type="string"
string="/opt/logs/routers/cisco/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
# Catch all for non-categorized systems
template (name="$uncat_dyn" type="string"
string="/opt/logs/uncategorized/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
auth.info;authpriv.info;*.warn;daemon.* @unix-logs.corp.tnsi.com
auth.info;authpriv.info;*.warn;daemon.* @pcilog.corp.tnsi.com
####################################
ruleset (name="NetLogCollection"){
### Start Cisco ASA logging rules
if $msg contains " %ASA-" then { action(type="omfile" FileCreateMode="0755"
DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX"
DirOwner="XXXX" dynaFile="$asa_dyn") stop }
### END Cisco Section
### Start Fortigate logging rules
else if $msg contains " devname=" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$fort_dyn") stop
}
### End Fortigate Section
#### Start Juniper NetScreen logging rules
else if $msg contains " NetScreen device_id=" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$netscreen_dyn")
stop }
### END NetScreen Section
### Start Juniper SRX logging rules
# Commenting out as the OR statements don't seem to work, matches on the first $msg contains.
#else if $msg contains "RT_FLOW" or $msg contains " UI_" or $msg contains "RT_FLOW:" then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop }
else if $msg contains "RT_FLOW" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop
}
else if $msg contains " UI_" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop
}
else if $msg contains "RT_FLOW:" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop
}
else if $msg contains "RT_IDS" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop
}
else if $msg contains "RT_IDS:" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop
}
# Commenting out REGEX attempts to match SRX formatted logs.
#else if re_match ($msg, "^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+-npe[^[:space:]]+[[:space:]]+[^:]+(W|\]|shd|fed):[[:space:]]") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop }
#else if re_match ($msg, "^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+-npe[^[:space:]]+[[:space:]]+[^:]+(W|\\]|shd|fed):[[:space:]]") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop }
#else if re_match ($msg, "^[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+-npe[^[:space:]]+[[:space:]]+[^:]+(W|\\]|shd|fed):[[:space:]]") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$srx_dyn") stop }
### END SRX Section
### Start TACACS logging rules
else if ($programname == "CSCOacs_TACACS_Accounting") then {
action(type="omfile" FileCreateMode="0755" DirCreateMode="0755"
FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX"
dynaFile="$auth_dyn") stop }
### END TACACS Section
### Start Cisco ACS logging rules
# The following two lines for ACS have been commented out in hopes that the OR line below will capture all the logs.
#else if ($programname == "CSCOacs_Passed_Authentications") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$auth_dyn") stop }
#else if ($programname == "CSCOacs_Administrative_and_Operational_Audit") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$auth_dyn") stop }
# Each alternative needs its own comparison; a bare string after "or" is not
# compared against $programname and never matches.
else if ($programname == "CSCOacs_Passed_Authentications" or
$programname == "CSCOacs_Administrative_and_Operational_Audit" or
$programname == "CSCOacs_Failed_Attempts") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$auth_dyn") stop
}
# The following line is in place in the event that the OR statement above does not capture the Admin and Operation Audit logs.
else if ($programname == "CSCOacs_Administrative_and_Operational_Audit")
then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755"
FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX"
dynaFile="$auth_dyn") stop }
else if ($programname == "CSCOacs_Failed_Attempts") then {
action(type="omfile" FileCreateMode="0755" DirCreateMode="0755"
FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX"
dynaFile="$auth_dyn") stop }
### END ACS Section
### Start Cisco IDS logging rules
else if ($programname == "SFIMS") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$snort_dyn")
stop }
### END Cisco IDS Section
### Start Unix logging rules
else if ($programname == "sshd") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$unix_dyn") stop
}
else if ($programname == "cron") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$unix_dyn") stop
}
else if ($programname == "xntpd") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$unix_dyn") stop
}
else if ($programname == "inetd") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$unix_dyn") stop
}
### END Unix Section
### Start Windows Snare logging rules
else if ($programname == "WinEventLog") then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$windoz_dyn")
stop }
#else if $msg contains "MSWinEventLog" then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$windoz_dyn") stop }
### END Windows Section
### Start Cisco Router logging rules
# dynaFile must name the template exactly as declared above ("$crooter1_dyn");
# "crooters1_dyn" / "crooter1_dyn" do not resolve to any template.
else if $msg contains " %SSH-" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$crooter1_dyn")
stop }
else if $msg contains " %SEC_" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$crooter1_dyn")
stop }
else if $msg contains " %SEC-" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$crooter1_dyn")
stop }
else if $msg contains " %SNMP-" then { action(type="omfile"
FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX"
FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$crooter1_dyn")
stop }
### END Cisco Router Section
#
### Start Catchall Logging for any system not categorized by rules above.
else { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755"
FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX"
dynaFile="$uncat_dyn") stop }
}
#### Bind UDP module for inbound connections on port 514 and log
# Region 1 Collection on UDP 514
input (type="imudp" port="514" ruleset="NetLogCollection")
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
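Added example (not from the post, and not rsyslog's own documentation) of the approach the poster is asking for: omfile accepts the owner, group and creation-mode settings as module() parameters, and those then serve as defaults for every action(type="omfile"), so the ruleset actions only need dynaFile. It assumes those module parameters are available in the poster's 8.25.0, keeps the placeholder owner/group "XXXX" and /opt/logs paths from the post, and uses group-readable modes (0640/0750) instead of the post's 0755/0777, since firewall and authentication logs routinely contain data that should not be world-readable.

```rsyslog
# Legacy directive retained from the post; 0022 (instead of 0000) stops the
# process umask from ever widening what fileCreateMode/dirCreateMode allow.
$umask 0022

# Module-level defaults inherited by every omfile action below.
# "XXXX" is the post's placeholder; the modes are an assumption chosen so
# only the owning user and the log group can read the files.
module(load="builtin:omfile"
       fileOwner="XXXX" fileGroup="XXXX"
       dirOwner="XXXX"  dirGroup="XXXX"
       fileCreateMode="0640"
       dirCreateMode="0750")

module(load="imudp")
input(type="imudp" port="514" ruleset="NetLogCollection")

# Two of the post's dynamic file name templates, unchanged.
template(name="$asa_dyn" type="string"
         string="/opt/logs/firewalls/cisco/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="$uncat_dyn" type="string"
         string="/opt/logs/uncategorized/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="NetLogCollection") {
    # No per-action owner/mode parameters needed any more; an individual
    # action may still override a module default for one file if required.
    if $msg contains " %ASA-" then {
        action(type="omfile" dynaFile="$asa_dyn")
        stop
    }
    else {
        action(type="omfile" dynaFile="$uncat_dyn")
        stop
    }
}
```

After a restart, a newly created day file under /opt/logs should show up as -rw-r----- owned by XXXX:XXXX, which is the quickest way to confirm the module defaults took effect.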